Hi Todd,

This must be the hot topic. I received a very similar question from one of our clients today. (Can we have multi-site Check Point clusters over DWDM?)

Cluster definition is very subjective. But the common active-active cluster types for Check Point (e.g. ClusterXL, IP clustering) usually require identical IP subnets on member gateways (like HA setups). In a multi-site cluster all segments of both members must share L2 connectivity for a true cluster.

Even if you have high-speed L2 connectivity for sync networks, most datacenters have a separate IP addressing schema for redundant operations. Multi-site multicast propagation and latency issues must be addressed as well.

I would recommend 3rd-party DNS-based solutions for inbound connections (where dynamic routing is not an option, like your env). You may also check the link controller (ISP sharing) scenarios for outbound traffic.

You may also use Check Point MEP configuration for inbound VPN connections.

You mention that multiple VLANs terminating on the external interface will bring lots of problems. Check Point will treat those segments as external, and if you have VPN connectivity you will have a really tough time. I would rather define the Extranet WAN side as internal instead of multiple external interfaces.

With NGX, route-based VPNs and dynamic routes would be the remedy for your status, but as you have stated it is not an option for you.

cheers,
- yinal ozkan
INTEGRALIS

p.s. if your questions are specific to single-site active-active clusters, we may elaborate more.
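As an added example (not code from this thread, from Check Point, or from either poster), a small check for the same-subnet rule the reply describes: it compares each cluster interface of two member configurations and flags the segments where a separate per-datacenter addressing schema would stop the members from forming a cluster. The interface names and addresses are constructed sample data.

```python
"""Added example: verify that two Check Point cluster members share a subnet
on every cluster interface, the precondition the reply above describes for
ClusterXL-style active-active or HA pairs. Sample member tables below are
constructed, not taken from any real site."""
import ipaddress

# Constructed sample configs: interface name -> IP address/prefix per member.
MEMBER_DC1 = {
    "eth0": "10.1.0.11/24",   # sync
    "eth1": "192.0.2.11/24",  # external
    "eth2": "10.10.5.11/24",  # internal
}
MEMBER_DC2 = {
    "eth0": "10.1.0.12/24",   # sync: same subnet as DC1
    "eth1": "192.0.2.12/24",  # external: same subnet as DC1
    "eth2": "10.20.5.12/24",  # internal: DC2 uses its own addressing schema
}


def check_cluster_subnets(member_a, member_b):
    """Return {interface: verdict} for every interface seen on either member.

    "ok"       - both members have the interface on the same subnet
    "mismatch" - both have it, but on different subnets (no cluster here
                 without stretching L2 and renumbering one side)
    "missing"  - only one member has the interface at all
    """
    verdicts = {}
    for ifname in sorted(set(member_a) | set(member_b)):
        if ifname not in member_a or ifname not in member_b:
            verdicts[ifname] = "missing"
            continue
        net_a = ipaddress.ip_interface(member_a[ifname]).network
        net_b = ipaddress.ip_interface(member_b[ifname]).network
        verdicts[ifname] = "ok" if net_a == net_b else "mismatch"
    return verdicts


def cluster_ready(verdicts):
    """True only when every cluster interface sits on a shared subnet."""
    return all(v == "ok" for v in verdicts.values())


if __name__ == "__main__":
    result = check_cluster_subnets(MEMBER_DC1, MEMBER_DC2)
    for ifname, verdict in result.items():
        print(f"{ifname}: {verdict}")
    print("cluster-ready:", cluster_ready(result))
```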
--- "Larson, Todd (LNG-DAY)" <Todd.Larson AT LEXISNEXIS DOT COM> wrote:
> I've been tasked with investigating an active/active gateway cluster, with one firewall at each location (not a pair). Currently, we have significant experience in deploying HA clusters, but little with Active/Active Clusters.
>
> I'm looking for insights and/or gotchas from those who traveled this road before me. A high-level overview of our infrastructure is this: Datacenters are connected via DWDM (big fast pipe) connecting the backend (i.e. internal private networks). On the external networks, the cluster will front Secure Extranet WAN connections accessible from either datacenter.
>
> The firewalls will not participate in dynamic routing. The external side of the cluster will have multiple VLANs terminated on one interface (a design requirement).
>
> Any thoughts or advice would be much appreciated.
>
> Todd
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================